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TNTHE CLAIMS: 
Amended claims follow: 

1 . (Currently Amended) A system for identifying a macro virus 
family using a macro virus definitions database, comprising: 

a macro virus definitions database comprising a set of indices and macro 
virus definition data files with each index referencing one or more of the macro 
virus definition data files and each macro virus definition data file defining macro 
virus attributes for known macro viruses that are each comprised of at least one 
macro, the sets of the indices and the macro virus definition data files being 
organized into a hierarchy according to macro virus families based on a type of 
application to which the macro applies; 

a parser parsing a suspect file into tokens comprising one of individual 
string constants and source code text and storing the tokens as suspect strings into 
a hierarchical parse tree; 

a macro virus checker traversing the hierarchical pars e tree to retri e v e 
each s usp e ct string and comparing theeach suspect string to the macro virus 
attributes defined in the one or more macro virus definition data files for each 
macro virus family in the macro virus definitions database and determining each 
macro \'irus family to which the suspect string belongs from the index for each 
macro virus definition data file at least partially containing the suspect string; 

the macro virus checker parsing the macro virus attrib utes from one or 
more file objects and analyzing the macro virus definiti on data files by index for 
each macro virus family: and 
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ih. ryy^rrn virtis check er iterativelv re tHeving each mf^rro virus definition 
data file using rh. mHex for ea c h macro virus family and providing the macro 
virus attribute<^ defined in the retrieved macro virus definition data file. 

2. (Original) A system according to Claim 1, further comprising: 
the macro virus definition data files being indexed into the macro virus 

famines categorized by a replication method employed. 

3. (Previously Amended) A system according to Claim 1, wherein the 
suspect string comprises part of the suspect file comprising a plurality of 
individual suspect strings. 

4. (Previously Amended): A system according to Claim 3, fiirther 
comprising: 

the macro virus checker identifying a replication method common to a 
plurality of the individual suspect strings in the suspect file. 

5. (Original) A system according lo Claim 4, further comprising: 
the macro virus checker identifying the macro virus family by which the 

common replication method is indexed. 

6. (Original) A system according to Claim 1, further comprising: 
the macro virus definitions database storing string constants common to 

each macro virus family in the macro virus attributes for the macro virus 
definition data files; and 

the macro virus checker comparing the sxxspect string to the string 
constants in the one or more macro virus definition data files for each macro virus 
family. 

7. (Original) A system according to Claim 6, fiirther comprising: 

a parameter specifying a threshold to matches of commonly shared string 
constants. 
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8. (Original) A system according to Claim 6, further comprising: 
a parameter specifying a minimum length of commonly shared string 

constants. 

9. (Original) A system according to Claim 1, further comprising: 
the macro virus definitions database storing source code text common to 

each macro virus family in the macro virus attributes for the macro virus 
definition data files; and 

the macro virus checker comparing the suspect string to the source code 
text in the one or more macro virus definition data files for each macro virus 
family. 

1 0. (Original) A system according to Claim 9, further comprising: 

a parameter specifying a threshold to matches of commonly shared source 
code text. 

1 1 . (Original) A system according to Claim 9, further comprising: 
a set of keywords used in the stored source code text to identify each 

replication metliod employed. 

12. (Original) A system according to Claim 1 , further comprising: 

the macro virus checker resetting the index referencing one or more of the 
macro virus definition data files for at least one macro virus family and creating a 
new macro virus definition data file entry comprising an index referencing one or 
more macro virus definition files. 

13. (Original) A system according to Claim 12, further comprising: 
the new macro virus definition data file entry defining the macro virus 

attributes by storing at least one of a string constant and source code text 

14. (Cancelled) 
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15. (Currently Amended) A system according to Claim 44L further 
comprising: 

the macro virus checker cross referencing al least one of a string constant 
and source code text from the piirsed macro file attributes against the macro virus 
attributes defined in the virus definition data files. 

16. (Cancelled) 

17. (Currently Amended) A method for identifying a macro virus 
family using a macro virus definitions database, comprising: 

maintaining a macro virus definitions database comprising a set of indices 
and macro virus definition data files with each index referencing one or more of 
the macro virus definition data files and each macro virus definition data file 
defining macro virus attributes for known macro viruses that are each comprised 
of at least one macro; 

organizing the sets of the indices and the macro virus definition data files 
into a hierarchy according to macro virus families based on a type of application 
to which the macro applies; 

parsing a suspect file into tokens comprising one of individual string 
constants and source code text ;uid storing the tokens as suspect strings into a 
hierarchical parse tree; 

traversing the hi e rarchical parse tre e to r e trieve caoh Guspoct string and 
comparing the each the suspect string to the macro virus attributes defined in the 
one or more macro virus definition data files for each macro virus family in the 
macro virus definitions database; and 

determining each macro virus family to which the suspect string belongs 
firom the index for each macro virus definition data file at least partially 
containing the suspect string; 

parsing the macro virus attributes fi-om one or more file objects and 
analvzing the macro virus definition data files by index for each macro virus 
family: and 
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iterativelv retrieving each macro virus definitio n data file using the index 
for each macro virus family and providing the macro virus attributes defined in 
the retrieved macro virus definition data file. 



] 8. (Original) A metliod according to Claim 1 7, ftjrther comprising: 
indexing the macro virus definition data files into the macro virus families 
categorized by a replication method employed. 

19. (Previously Amended) A method according to Claim 17, fiirther 
comprising: 

providing the suspect string as part of the suspect file comprising a 
plurality of individual suspect strings. 

20. (Previously Amended) A method according to Claim 19, further 
comprising: 

identifying a replication method common to a plurality of the individual 
suspect strings in the suspect file. 

21 . (Original) A method according to Claim 20, further comprising: 
identifying the macro virus family by which the common replication 

method is indexed. 

22. (Original) A method according to Claim 17, further comprising: 
storing string constants common to each macro virus family in the macro virus 
attributes for the macro virus definition data files; and 

comparing the suspect string to the string constants in the one or more 
macro virus definition data files for each macro virus family. 

23. (Original) A method according to Claim 22, further comprising: 
applying a threshold to matches of commonly shared string constants. 

24. (Original) A mediod according to Claim 22, fiuther comprising: 
designating a minimum length of commonly shared string constants. 
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25. (Original) A method according to Claim 17, further comprising: 

storing source code text common to each macro virus family in the macro 
virus attributes for the macro virus definition data files; and 

comparing the suspect string to the source code text in the one or more 
macro virus definition data files for each macro virus family. 

26. (Original) A raetliod according to Claim 25, further comprising: 
applying a threshold to matches of commonly shared source code text. 

27. (Original) A method according to Claim 25, further comprising: 
defining a set of keywords used in the stored source code text identifying each 
replication method employed. 

28. (Original) A method according to Claim 17, further comprising: 
resetting the index referencing one or more of the macro virus definition 

data files for at least one macro virus family; and 

creating a new macro virus definition data file entry comprising an index 
referencing one or more macro virus definition files. 

29. (Original) A method according to Claim 28, further comprising: 
defining the macro virus attributes for the new macro virus definition data 

file entry by storing at least one of a string constant and source code text. 

30. (Cancelled) 

3 1 . (Currently Amended) A method according to Claim ^17, further 
comprising: 

cross referencing at least one of a string constant and source code text 
from the parsed macro file attributes against the macro virus attributes defined in 
the virus definition data files. 

32. (Cancelled) 
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33. (Currently Amended) A computer-readable storage medium 
holding code for performing the method according to Claims 17, 18, 19, 22, 25^ or 
28 , 30 , or 32 . 

34. (Currently Amended) A system for identiiying a macro virus 
family using a macro virus definitions database, comprising: 

a macro virus definitions database comprising a set of indices and 
associated macro virus definition data files, further comprising: 

one or more of the macro virus definition data files referenced by 
the associated index v/ith each macro virus definition data file defining macro 
virus attributes for known macro viruses that are each comprised of at least one 
macro; 

a hierarchy organized according to a macro family to which each 
of the sets of the indices and the macro virus definition data files belong based on 
a type of application to which tlie macro applies; 

a parser parsing a suspect file into tokens comprising one of individual 
string constants and source code text and storing the tokens as strings into a 
hierarchical parse tree; 

a macro virus checker traversing tho hierarchical parse troo to rotrievo the 
Gtrings ond-comparing one or more strings stored in a suspect file to the macro 
virus attributes defined in the one or more macro virus definition data files for 
each macro virus family in the macro virus definitions database and determining 
the macro virus family to which the suspect file belongs from the indices for each 
of the macro virus definition diita files at least partially containing the suspect file; 

the macro virus checker parsing macro virus attributes from one or more 
file objects and analyzing the macro virus definition data files bv index for each 
macro virus family: and 

the macro virus checker iterativelv retrieving each macro viru s definhion 
data file using the index for each macro virus family and prov iding the macro 
virus attributes defined in the retrieved macro virus definition data file . 
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35. (Previously Amended) A system according to Claim 34, further 
comprising: 

each macro virus family defined according to a replication method common to 
each of the macro virus definition data files associated with one such index. 

36. (Original) A system according to Claim 34, fiirther comprising: 

the macro virus definitions database storing at least one of string constants and 
source code text common to each macro virus family in the macro virus attributes for the 
macro virus definition data files; and 

the macro virus checker comparing the suspect string to the at least one of the 
string constants and the source code text in the one or more macro virus definition data 
files. for each macro virus family. 

37. (Original) A system according to Claim 36, further comprising: 
the macro virus checker applying a threshold to matches of at least one of 

commonly shared string constants and commonly shared source code text. 

38. (Original) A system according to Claim 36, further comprising: 

the macro virus checker designating a minimum length of commonly shared 
string constants. 

39. (Currently Amended) A method for identifying a macro virus family using 
a macro virus definitions database, comprising: 

maintaining a macro virus definitions database comprising a set of indices and 
associated macro virus definition data files, fiirther comprising: 

referencing one or more of the macro virus definition data files by the 
associated index with each macro virus definition data file defining macro virus attributes 
for known macro viruses that are each comprised of at least one macro; 

organizing the sets of the indices and the macro virus definition data files into a 
hierarchy according to macro virus families based on a type of application to which the 
macro applies; 
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parsing a suspect file into tokens comprising one of individual string constants 
and source code text and storing the tokens as strings into a hierarchical parse tree; 

tra ver s in g t he hi er ar c hi c al pan? Trf^f tp r^^tri^^^ r . trinfrn and -comparing the 
strings to the macro virus attributes defined in the one or more macro virus definition 
data files for each macro virus family in the macro virus definitions database; 

determining the macro virus family to which the suspect file belongs fi-om the 
indices for each of the macro virus definition data files at least partially containing the 
suspect file; 

parsing macro virus attributes from one or more file objects and analyzing the 
macro virus definition data files by index for ea ch macro virus family; and 

iterativelv retrieving each macro virus definition data file u sing the index for each 
macro virus family and providing the macro vir us attributes defined in the retrieved 
macro virus definition data file . 

40 (Previously Amended) A method according to Claim 39, further 
comprising: 

defining each macro virus family according to a replication method common to 
each of the macro virus definition data files associated with one such index. 

4L (Original) A method according to Claim 39, fiirther comprising: 

storing at least one of string constants and source code text common to each 
macro virus family in the macro virus attributes for the macro virus definition data files; 
and 

comparing the suspect string to the at least one of the string constants and the 
source code text in the one or more macro virus definition data files for each macro virus 
family. 

42. (Original) A method according to Claim 41, further comprising: applying 
a threshold to matches of at least one of commonly shared string constants and commonly 
shared source code text. 
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43 . (Original) A method according to Claim 4 1 , further comprising: 
designating a minimum length of commonly shared string constants. 

44. (Original) A computer-readable storage medium holding code for 
performing the method according to Claims 39. 40, or 41 . 
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